Re: How to secure Flash Video? [Solved?]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tedd,

As Casey noted, there's no totally secure methodolgy, but your's is close
enough - everything is wrapped in the Flash movie, so even if the movie is
sent on to someone else, that someone has to be approved.

We've been doing something similar for several years now, validating against
a database and when validation succeeds, issuing a key stored in the
database and as a Flash (ach, can't remember the name, but Flash's
equivalent of a cookie.)

As for people wanting "total security" - unplug everything and go split
wood. Most security breaches are internal, and usually all that's necessary
is to keep honest people from straying down  the wrong path.

Cheers - Miles

On Jan 5, 2008 1:16 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:

> Hi gang:
>
> Here's my logic, so what's wrong with it?
>
> My sole concern here is to protect a Video from being stolen and/or
> being viewed remotely while allowing "approved" users to view it.
>
> It is a fact that anything you present to a user is theirs. There's
> no stopping them from downloading a Video if they have permission to
> do so. In fact, that's exactly what they do when they view a Video --
> they can't view it in their browser unless their browser has it.
>
> Now, I have investigated several ways to protect videos and prevent
> caching. Some methods are very complex -- but complexity does not
> always guarantee security. Complexity is more likely to present
> problems in its application. Sometimes the simplest method is best.
>
> The simplest protection method I can think of can be done by using
> Flash Video Actionscript in concert with php/mysql.
>
> It's a simple matter to have the Video run the following prior to
> displaying:
>
> theXML.load(http://example.com/security.php)
>
> That's similar to a javascript onload function.
>
> Upon loading the Video, the Video will run the script "security.php"
> which in-turn will check to see if an approved user is attempting to
> view the Video. This done by simply checking a user-id session
> variable in the script that delivers the Video.
>
> If that session variable (user-id ) is empty, then the security.php
> returns nothing.
>
> If that session session is not empty, then the script will check the
> user-id against the database to see if the user has permission to
> view the Video. If the user does not have permission, then the
> security.php script returns nothing.
>
> If everything checks, then the security.php script will return a key
> and the Video will check that key against an internal key -- if a
> match is made, then the video plays.
>
> Now, please note that this will also prohibit the user, even after
> paying for the Video, from downloading the Video for future plays
> because the Video will always check for a key.
>
> Even if the user downloads the Video and takes the Video to a remote
> player, the Video will still try to run the security script seeking a
> key. If the security script is not there, then it fails.  Even if the
> user figures out that the Video requires a key, the still user has no
> way to determine what that internal key is.
>
> So, I think this will work. What say all of you? Where have I screwed up?
>
> And, please no one liners that solve the entire mess and make me look
> like a fool.
>
> Cheers,
>
>  tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux